[FFmpeg-devel] [PATCH] matroskadec: Fix a buffer overread
Måns Rullgård
mans
Sat Mar 6 13:24:14 CET 2010
David Conrad <lessen42 at gmail.com> writes:
> ---
> libavformat/matroskadec.c | 6 ++++++
> 1 files changed, 6 insertions(+), 0 deletions(-)
>
> diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
> index 84d06c7..3ee9f39 100644
> --- a/libavformat/matroskadec.c
> +++ b/libavformat/matroskadec.c
> @@ -1676,6 +1676,11 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
> int offset = 0, pkt_size = lace_size[n];
> uint8_t *pkt_data = data;
>
> + if (lace_size[n] > size) {
> + av_log(matroska->ctx, AV_LOG_ERROR, "Invalid packet size\n");
> + continue;
> + }
> +
> if (encodings && encodings->scope & 1) {
> offset = matroska_decode_buffer(&pkt_data,&pkt_size, track);
> if (offset < 0)
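Review bot: the `continue` taken when `lace_size[n] > size` skips the `data += lace_size[n]` advance at the bottom of the loop, so the following laces are parsed from the position the loop had already reached, while `size` is likewise left unchanged; a lace that claims more bytes than remain means the block's lacing table is inconsistent as a whole, so breaking out of the lace loop (or returning an error for the block) would be more defensible than moving on to the next lace. The check itself is what stops the demuxer from reading past the end of the block buffer, which is the point of the patch. Consider also including both sizes in the "Invalid packet size" message so a malformed file can be diagnosed from the log alone.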
> @@ -1727,6 +1732,7 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
> if (timecode != AV_NOPTS_VALUE)
> timecode = duration ? timecode + duration : AV_NOPTS_VALUE;
> data += lace_size[n];
> + size -= lace_size[n];
> }
> }
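Review bot: `size -= lace_size[n]` is the right counterpart to `data += lace_size[n]`, and because the new check in the earlier hunk guarantees `lace_size[n] <= size` on every path that reaches this line, `size` cannot go negative here. Worth confirming that `size` on entry to the loop counts only the payload bytes, i.e. that the bytes consumed by the lacing header have already been subtracted; otherwise the comparison in the first hunk can still admit a lace that runs past the end of the buffer.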
Looks correct to me. Aurelien seems MIA so I'd suggest applying this
if it passes tests.
--
Måns Rullgård
mans at mansr.com